This paper presents an empirical analysis of the Web3 security landscape over the four-year and three-month period from 1 January 2022 to 27 March 2026. The dataset combines 23,818 public audit findings produced by 22 independent security firms with 218 real-world exploit incidents documented by rekt.news, representing aggregate losses of approximately US$7.76 billion. We report three central findings. First, the distribution of audit findings (by severity, category, and technology stack) is substantially stable across the observation window, with the Critical-plus-High share remaining within a 15-17% band in every complete year. Second, the categorical distribution of realised exploit losses does not correspond to the categorical distribution of audit findings: private-key compromise, phishing, and social-engineering vectors account for approximately 49.6% of cumulative losses yet represent a negligible share of published audit findings. Third, realised losses exhibit extreme concentration: the eight largest incidents account for 50.6% of cumulative dollar losses and the twenty largest for 71.4%, a distributional shape inconsistent with Gaussian assumptions. Throughout, we adopt the analytical convention that audit outputs and exploit outputs describe different populations and present the two datasets in parallel rather than as directly comparable samples.

翻译：本文对2022年1月1日至2026年3月27日这四年零三个月期间的Web3安全态势进行了实证分析。数据集整合了22家独立安全公司发布的23,818份公开审计结果，以及rekt.news记录的218起真实世界攻击事件，累计损失约77.6亿美元。我们报告三项核心发现：第一，审计结果（按严重性、类别和技术栈划分）在观测窗口内的分布高度稳定，完整年份中"严重+高危"占比始终维持在15-17%区间；第二，实际攻击损失的类型分布与审计结果的类型分布并不对应——私钥泄露、钓鱼攻击和社会工程学向量累计造成约49.6%的损失，但在公开审计结果中占比微乎其微；第三，实际损失呈现极端集中性：8起最大事件占累计美元损失的50.6%，20起最大事件占71.4%，这种分布形态不符合高斯假设。全文采用分析惯例如下：将审计输出与攻击输出视为描述不同总体的数据集，并行呈现两种数据而非直接进行样本比较。